ronald@robobar.co.uk (Ronald S H Khoo) (12/31/90)
[ this really wants to go to alt.security.d, but seeing as it doesn't exist, I've redirected to alt.security. Sorry folx ]

tronix@polari.UUCP (David Daniel) writes:

> [remainder of security hole explanation deleted]

[ the setuid-to-uucp uudecode one ]

> You should have answered this person via e-mail with a cc to root.

Nope. It's a general interest question that pops up from time to time, sometimes I give the answer, sometimes I don't. Maybe it should go into the FAQ. It's hardly new, nor is it hard to find (find / -perm would have found it straight away, and I can't see any half competent cracker missing that trick)

Has someone got a summary of the last 30 "you should not have posted that, Oh yes I should, Oh no you shouldn't" discussions that we've had which they can mail to Mr. Daniel ?

> I'm glad I don't have an account on his system.

Why? What can a cracker do with a uucp shell? Get network passwords to fund his cracking with ? Forge mail (that's easy enough anyway) ? That's his sysadmin's problem, not yours. Nothing to crack *your* account with that I know of, unless someone knows one. Please post. If such a hole exists, I want to plug it.

Ronald, at this point, pretty fed up with all this pettiness...
--
ronald@robobar.co.uk +44 81 991 1142 (O) +44 71 229 7741 (H)